While working on a project for my company, I needed to build functionality that allows users to import/export data to/from our competitor's site. While doing this, I discovered a very serious security exploit that could, in short, perform any script on the competitor's website.

My natural feeling is to report the issue to them in the spirit of good-will. Exploiting the issue to gain advantage crossed my mind, but I don't want to go down that path.

So my question is, would you report a serious vulnerability to your direct competition, in order to help them? Or would you keep your mouth shut? Is there a better way of going about this, perhaps to gain at least some advantage from the fact that I'm helping them by reporting the issue?

Update (Clarification):

Thanks for all your feedback so far, I appreciate it. Would your answers change if I were to add that the competition in question is a behemoth in the market (hundreds of employees on several continents), and my company only started a few weeks ago (three employees)? It goes without saying, they most definitely will not remember us, and if anything, only realize that their site needs work (which is why we entered this market in the first place).

This might be one of those moral vs. business toss-ups, but I appreciate all the advice.

Report it anonymously from a disposable email address from behind a proxy without any ties to your current workplace.
– Job, Feb 17 '11 at 22:59

Why does the size of the company have any bearing on what constitutes ethical behavior?
– JohnFx, Feb 17 '11 at 23:32

There's a little anecdote about a guy who tried to sell Pepsi some secrets from Coke... Pepsi called the cops on him. No matter how intense rivalries can be, competition should always be based on fair and ethical business practices. If you guys are better, you'll beat them regardless of how big or entrenched they are. It may not happen overnight, but look at the browser wars. Slowly but surely alternatives are taking share away from IE even with IE preinstalled!
– Chris Thompson, Feb 18 '11 at 2:00

@JohnFx +1: spot on question sir! We could even use the same argument if the situation was reversed: "my company is a well-established and respected behemoth and theirs is only a small company which would likely fail sooner or later anyway." Regardless of the relative size of the companies, the ethics are the same.
– bedwyr, Feb 18 '11 at 5:18

14 Answers

Though I'd love to live in a world where it would be perfectly safe to just drop them a note to let them know, I'd suggest involving your legal department first. Realistically, it's entirely possible that however well intentioned your bug report is, someone in the competitor's organization will interpret it as "our competitor just paid one of their employees to hack our site". That perception could create legal or PR issues for both you and your company. Involving your legal department in the notification should help shield everyone from the appearance of impropriety. Of course, that creates the possibility that the legal department concludes that notifying the competitor creates an unacceptable legal risk and tells you just to sit on the information. But that's much better than the alternative that it all blows up in your face.

+1 for being realistic. Don't do anything illegal, sure. Immoral? In business, there is no moral or immoral. A company does not have such a thing as a concept of morality.
– Davor Ždralo, Feb 17 '11 at 23:22

@HorusKol - the +1 isn't going to pay salaries and costs for the company. Offering a better product than your competitor, however, might.
– Jas, Feb 18 '11 at 13:55

-1. This kind of thinking is a classic example of the Tragedy of the Commons. Security holes are everyone's problem.
– Mason Wheeler, Feb 18 '11 at 18:02

@Mason Wheeler: The tragedy of the commons is a dilemma arising from the situation in which multiple individuals, acting independently and rationally consulting their own self-interest, will ultimately deplete a shared limited resource even when it is clear that it is not in anyone's long-term interest for this to happen. I don't see how this is applicable here.
– user17610, Feb 18 '11 at 18:25

Frankly I am shocked that you would suggest not telling your competitor about their security bug. Why not file a bug report in the form of a press release or promotional email? Such a bug report should note the absence of said bug in your product and the potential implications for users.
– emory, Apr 22 '12 at 7:35

An alternative mechanism, not yet suggested AFAICS, of getting the information to your competitor with no risk to your own company is to let one of the various vulnerability reporting companies know about the vulnerability, and ask them to report it to your competitor. They (the vulnerability reporting company) would keep your name out of the report; you'd be anonymous to your competitor. One such company is the Zero Day Initiative (ZDI); there are a number of others.

Leak it to the media, anonymously of course, and then offer quick migration to customers of the competitor. This might seem like a low blow, but consider this: there is nothing illegal or unethical about what you are doing. Further, consider that it is a dog-eat-dog world in SW, and as David going against Goliath you are going to need all the leverage. Remember, it's not personal, it's strictly business. They would do the same to you in a heartbeat.

(FWIW I fully expect this answer to be down-voted, but that's OK because what I am saying is the truth albeit a harsh one.)

What would you like them to do if they found a security vulnerability in your software? That should be the first question you ask. If the answer is "I would really appreciate it if they told me", well, then you have your answer!

It doesn't matter that they are a giant company or a three person shop, and it doesn't matter that you are a three person shop or a giant company. As has been said, your reputation is everything, especially in this small community known as software.

Isn't doing the opposite of what the competition wants a normal business strategy?
– user17610, Feb 17 '11 at 21:53

@user17610 - I guess that depends on the situation... can't make a blanket statement and make all your decisions by that. If your competition wants to make boatloads of money, are you going to do the opposite?
– Jesse McCulloch, Feb 17 '11 at 21:58

No, then I'll ensure that they don't make boatloads of money ;)
– user17610, Feb 17 '11 at 22:01

+1 for "what would you like them to do if they found the vulnerability in your software?"
– Craige, Feb 18 '11 at 0:40

-1: I would like them to tell me, because subsequently accusing them of industrial espionage will help corrode their market share! Never assume benevolence in your competitor...
– recursion.ninja, Oct 5 '13 at 16:33

If "out of the goodness of your heart" isn't a good enough reason, consider that you are implementing this feature as a benefit for your own customers. You're indirectly protecting their data by reporting this bug.

In principle, I totally agree with what most here say: step up and report it. There is a professional code of honour like out at sea: if a ship's in trouble, you help, no matter who it belongs to.

Reading your update, however, I'd probably decide against telling them because of the risk that the well-intentioned action might be taken the wrong way (as industrial espionage as @Uri says), and lead to hostilities that are much more dangerous to your three-man shop than they will ever be to them.

Maybe drop an anonymous note; maybe not do anything at all. If you're David, you don't have to tell Goliath that he's got a bee sitting on his back.

Nature, despite its harsh sides, has its kind occasions. And acts them out without thinking twice.

Dog does not eat dog. Rather, bored people pay for illegal dog fights. And lawyers collect the money. Including from your boss. More than you want to know.
They can happily drain startups without blinking.

Also very possible: someone at the "competitor" already knows. Bringing the news can mean more responsibilities than being a simple passing messenger. Is that better than talking to walls?

Security business: lots of servers with big holes are online. This one server is just another one. Full-time job for some. Have you checked your own holes? All of them?